In many large enterprises, the CISO performs executive functions in specification and verification of the protection program but does not directly manage/perform any execution of protection functions. This is done by operations under the CIO.
The CISO can manage/perform protection activities, but not specify or verify
When the CISO works for the CIO, they are often put in a position of operating the protection program instead of specifying and verifying it. This generally means that the CISO is in too low a position for the job to get properly done, however; in smaller enterprises or immature ones, this may be the best solution to getting the most knowledge to the protection program.
The CISO can mix combinations of management/performance and specification and verification, but not for the same item.
In some more mature enterprises, the CISO manages many elements of the business functions and assurance processes and only specifies and verify the operational aspects run by the CISO.
The CISO has direct peer-to-peer contact with the heads of the area of the enterprise.
The CISO should generally have peer-to-peer relationships with those in charge of each area involved in information protection. If this is not in place, it create failures in the protection program that ultimately result in large-scale protection failures. This is a heated political issue in many enterprises, as the CEO places the CISO under the CIO, and the CIO prevents the CISO from doing their job or communicating with other appropriate individuals required in order for the protection program to operate properly. The CEO or COO is responsible for such failures and they should act to mitigate the situation if it exists.
The CISO is a member of an executive security counsel including executives from the area.
In cases where the CISO operates part of the program by managing the direct execution of the functions, they should be a member of the executive level counsel that makes the decisions on how to specify the requirements and verifies proper operation. This is necessary in order to have the information required to get the job done effectively.
The roles of the security lead are limited by requirements for separation of duties. In particular, any one individual who specifies, performs, and verifies any particular activity is essentially able to subvert that activity in its entirety. For that reason, any activity that is important enough to assure should be assured with separation of duties. Indeed, as risk goes up, more separation is reasonably applied. Thus the decision is about how to separate the duties of the security lead.
Specify:The security lead can specify protection
Specifying an activity implies the ability to bound its scope and mandate its implementation. Generally, specifications are not so complete or perfect that they are implementable as is in performance.
Perform: The security lead can perform protection
Performing an activity implies that specific actions are taken. They are supposed to reflect the specification, but do not always precisely do so.
Verify: The security lead can verify protection
Verifying an activity implies determining whether and to what extent, the specification was properly performed or the performance properly varied from the specification. Hindsight is often touted as 20/20, but then history is often rewritten by the victors.